A number of vulnerabilities have been discovered in the Qualcomm chipsets used in many Android handsets from many of the leading manufacturers. Exploitation of these vulnerabilities could allow an unauthorised user to take full control of an Android device, but in order to do so an authorised user would first need to install a malicious app.
Google have stated that three of the four vulnerabilities have been patched with the fourth due in September, although updates will take longer to reach devices depending on manufacturer and carrier.
What is it?
Four previously undisclosed security vulnerabilities have been found in the software drivers that ship with Qualcomm chipsets which, if exploited, could allow an unauthorised user to take full control of an affected device.
Which products are affected?
All versions of Android phones using Qualcomm chipsets are vulnerable to this flaw, estimated to be some 900 million to 1 billion devices.
Many of the latest and most popular Android devices found on the market today use these chipsets, including:
- BlackBerry Priv
- Blackphone 1 and Blackphone 2
- Google Nexus 5X, Nexus 6 and Nexus 6P
- HTC One, HTC M9 and HTC 10
- LG G4, LG G5, and LG V10
- New Moto X by Motorola
- OnePlus One, OnePlus 2 and OnePlus 3
- Samsung Galaxy S7 and Samsung S7 Edge
- Sony Xperia Z Ultra
What could happen if the vulnerabilities were exploited?
An attacker would have to trick a user into installing a malicious app which, unlike some malware, would not require any special permissions. Most Android phones default to disallowing apps from being installed from outside of the Google Play app store, which provides some protection, although attackers have found ways around this in the past.
If any of the vulnerabilities are successfully exploited, an attacker can gain root access, which gives the attacker full access to an affected Android device.
How can I find out if I am at risk?
To determine which processor is installed in a particular device, refer to the manufacturer's specifications.
What can I do?
There is no workaround or mitigation until Google release the September 2016 security release.
Google have stated that three of the four flaws have already been fixed, with the fourth to be included in this September update. This update will be rolled out to Nexus devices on release but may take significantly longer to reach other devices depending on manufacturer and carrier.
Organisations should satisfy themselves of the authenticity and provenance of any apps installed on corporate devices and, where possible, avoid installing apps from outside of the Google Play App Store.
Where can I find more information?
A full breakdown of the vulnerabilities is available on the Defcon website. More detail is also available via Check Point’s blog.